We met Cliff Stoll, an astronomer turned computer wizard at Lawrence Berkeley Lab in California. One of Cliff's first tasks is to figure out an accounting error that amounts to $0.75 of CPU time. He investigates and finds the error is tied to a mysterious user account named Hunter. He can't find the source of the account, so he deletes it.

Locard’s Exchange Principle

We use this opportunity to discuss Locard's Exchange Principle. Edmond Locard is considered by many to be the father of modern forensic science. His principle states, "The perpetrator of a crime will bring something into the crime scene and leave with something from it." This is the basis for all forensic investigations. A passage often attributed to Locard (it was actually written by the forensic scientist Paul L. Kirk) captures the idea particularly well:

“Wherever he steps, whatever he touches, whatever he leaves, even unconsciously, will serve as a silent witness against him. Not only his fingerprints or his footprints, but his hair, the fibers from his clothes, the glass he breaks, the tool mark he leaves, the paint he scratches, the blood or semen he deposits or collects. All of these and more, bear mute witness against him. This is evidence that does not forget. It is not confused by the excitement of the moment. It is not absent because human witnesses are. It is factual evidence. Physical evidence cannot be wrong, it cannot perjure itself, it cannot be wholly absent. Only human failure to find it, study and understand it, can diminish its value.”

In class, we discussed the principle as the basis for computer forensic investigations as well. We did a couple of activities to exercise our minds and think about what is taken and what is left behind: one concerning a physical theft, the other the 2017 Equifax breach.

Level 1: Pick a crime in your local newspaper and break down what could have been left behind.

Level 2: Pick an attack technique from this list: https://attack.mitre.org/wiki/Main_Page. Consider your own network or make up a fictional one. Research the technique and determine what artifacts it might leave behind and how you might gain visibility into them.

Cliff gets a strange e-mail from a system called DOCKMASTER. The system's owner claims that someone from LBL tried to break into his computer. Eventually, Cliff figures out this system belongs to a Naval Shipyard. He correlates the timestamps provided by DOCKMASTER with his own logs and finds that the user Sventek was active at that time. He also discovers two logging systems reporting different timestamps for the same activity. Odd at first, this turns out to be clock drift between the two systems.

Timestamps

The investigation work Cliff is conducting depends on logs that contain timestamps, which he uses to perform time-based correlation. It's easy to think of timestamps as a trivial thing, but they are far from it. Most investigations require examining multiple data sources to build a clear picture of what has transpired. To query that data properly and sequence events, we need accurate, comparable timestamps.

There are multiple obstacles between an investigator and reliable, consistent timestamps. We discussed clock synchronization, time sources, the Network Time Protocol (NTP), W32Time, and how Windows domain members sync time. We also discussed the challenges of time zones and daylight saving time, with plenty of confusing examples (seriously, Samoa?).

I showed multiple examples of timestamps, as well as a log collection pipeline and the Logstash configuration files used to adjust timing and define timestamps. Finally, I listed a few best practices for dealing with timestamps: sync all systems to the same time source, use UTC in your investigation tools, and use ISO 8601 compliant timestamps.
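As an added example (not from the class or the Logstash configuration discussed above), here is the normalization and correlation step in Python. Each log source carries the same metadata a Logstash date filter would (its timestamp format and the zone it logs local time in) plus a measured clock-drift term, everything is converted to UTC and rendered as ISO 8601, and events from different sources are grouped within a correlation window. The three log lines, the source inventory, the fixed zone offsets (a real pipeline would use IANA zone names so daylight saving transitions are handled) and the ten-minute drift on one host are all constructed for the example.

```python
import re
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone

UTC = timezone.utc


@dataclass(frozen=True)
class Source:
    """Per-source metadata: the equivalent of a Logstash date filter plus a drift term."""
    name: str
    fmt: str                # "syslog", "iso_local" or "epoch"
    utc_offset: timedelta   # zone the host writes local timestamps in (fixed for the example)
    drift: timedelta        # host clock minus reference clock; positive means the clock runs fast


# Constructed source inventory: a Unix host logging local Pacific time, a remote host
# logging local Eastern time whose clock was measured 10 minutes fast, and a firewall
# logging epoch seconds (already UTC by definition).
SOURCES = {
    "vax":        Source("vax", "syslog", timedelta(hours=-7), timedelta(0)),
    "dockmaster": Source("dockmaster", "iso_local", timedelta(hours=-4), timedelta(minutes=10)),
    "fw":         Source("fw", "epoch", timedelta(0), timedelta(0)),
}

SYSLOG_RE = re.compile(r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<msg>.*)$")
ISO_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d) (?P<msg>.*)$")
EPOCH_RE = re.compile(r"^(?P<ts>\d{9,10})(?:\.\d+)? (?P<msg>.*)$")


def parse_timestamp(src, line, assume_year=2017):
    """Return (true UTC datetime, message). Syslog lines carry no year, so one is supplied."""
    local_tz = timezone(src.utc_offset)
    if src.fmt == "syslog":
        m = SYSLOG_RE.match(line)
        if not m:
            raise ValueError(f"unparseable syslog line: {line!r}")
        naive = datetime.strptime(f"{assume_year} {m['mon']} {m['day']} {m['time']}",
                                  "%Y %b %d %H:%M:%S")
        stamped = naive.replace(tzinfo=local_tz)
    elif src.fmt == "iso_local":
        m = ISO_RE.match(line)
        if not m:
            raise ValueError(f"unparseable ISO line: {line!r}")
        stamped = datetime.fromisoformat(m["ts"]).replace(tzinfo=local_tz)
    elif src.fmt == "epoch":
        m = EPOCH_RE.match(line)
        if not m:
            raise ValueError(f"unparseable epoch line: {line!r}")
        stamped = datetime.fromtimestamp(int(m["ts"]), tz=UTC)
    else:
        raise ValueError(f"unknown format {src.fmt!r}")
    # Convert to UTC first, then remove the measured drift to recover the true time.
    return stamped.astimezone(UTC) - src.drift, m["msg"]


def correlate(lines, window=timedelta(seconds=30), apply_drift=True):
    """Normalize (source, line) pairs to UTC and group events whose gaps fall within the window."""
    events = []
    for src_name, line in lines:
        src = SOURCES[src_name]
        if not apply_drift:
            src = replace(src, drift=timedelta(0))   # show what happens if drift is ignored
        ts, msg = parse_timestamp(src, line)
        events.append((ts, src_name, msg))
    events.sort()
    groups, current = [], []
    for ev in events:
        if current and ev[0] - current[-1][0] > window:
            groups.append(current)
            current = []
        current.append(ev)
    if current:
        groups.append(current)
    return groups


# Constructed log lines: one remote login seen from three vantage points.
SAMPLE_LINES = [
    ("vax", "Aug 14 02:17:45 lbl-vax login: sventek logged in on tty12"),
    ("fw", "1502702270 ACCEPT tcp lbl-vax -> dockmaster:23"),
    ("dockmaster", "2017-08-14T05:27:52 login: failed password for root from lbl-vax"),
]


def render(groups):
    """ISO 8601 UTC view of each group, the form an investigation tool should store and display."""
    return [[f"{ts.isoformat()} {src}: {msg}" for ts, src, msg in g] for g in groups]


if __name__ == "__main__":
    for label, drift in (("drift corrected", True), ("drift ignored", False)):
        groups = correlate(SAMPLE_LINES, apply_drift=drift)
        print(f"--- {label}: {len(groups)} group(s)")
        for g in render(groups):
            print("\n".join(g), "\n")
```

With drift corrected, all three records collapse into a single group a few seconds wide; with the ten-minute drift ignored, the DOCKMASTER record lands in its own group ten minutes later, which is exactly the kind of discrepancy Cliff had to reason through.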

Level 1: Determine where your system is syncing time from and change it to another source.

Level 2: Set up your own NTP server and configure your system to sync from it.

Level 3: Capture network traffic while syncing with your own NTP server. Examine each field, and try to determine the function of each one.
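To give the Level 3 exercise a starting point, here is an added example (not part of the original post) that decodes the fixed 48-byte NTP v4 header field by field and then computes the clock offset and round-trip delay the client derives from the four timestamps. The server response is constructed with struct rather than captured off the wire; the upstream reference address, timestamps and fixed-point values are made up for the example.

```python
import struct
from datetime import datetime, timezone

NTP_UNIX_DELTA = 2208988800              # seconds from the NTP epoch (1900) to the Unix epoch (1970)
HEADER = struct.Struct("!BBbbII4sQQQQ")  # 48-byte NTP header, network byte order


def ntp_to_unix(ts64):
    """64-bit NTP timestamp (32-bit seconds . 32-bit fraction) -> Unix seconds as a float."""
    return (ts64 >> 32) - NTP_UNIX_DELTA + (ts64 & 0xFFFFFFFF) / 2**32


def unix_to_ntp(seconds):
    whole = int(seconds)
    frac = int(round((seconds - whole) * 2**32))
    return ((whole + NTP_UNIX_DELTA) << 32) | frac


def decode_ntp(packet):
    """Decode the fixed header; extension fields and any MAC after byte 48 are ignored."""
    if len(packet) < HEADER.size:
        raise ValueError("short NTP packet")
    flags, stratum, poll, precision, rdelay, rdisp, refid, ref, orig, recv, xmit = HEADER.unpack_from(packet)
    if stratum <= 1:
        # stratum 1: clock source code such as "GPS"; stratum 0: kiss-o'-death code such as "RATE"
        ref_id = refid.rstrip(b"\0").decode("ascii", "replace")
    else:
        ref_id = ".".join(str(b) for b in refid)   # IPv4 address of the upstream server
    return {
        "leap": flags >> 6,                   # leap indicator (3 = clock unsynchronized)
        "version": (flags >> 3) & 7,
        "mode": flags & 7,                    # 3 = client, 4 = server
        "stratum": stratum,
        "poll_seconds": 2 ** poll,            # exponent of the poll interval
        "precision_seconds": 2.0 ** precision,
        "root_delay": rdelay / 2**16,         # 16.16 fixed point, seconds to the primary source
        "root_dispersion": rdisp / 2**16,
        "reference_id": ref_id,
        "reference": ntp_to_unix(ref),        # when the server last synced with its source
        "origin": ntp_to_unix(orig),          # T1: client transmit time, echoed by the server
        "receive": ntp_to_unix(recv),         # T2: server receive time
        "transmit": ntp_to_unix(xmit),        # T3: server transmit time
    }


def offset_and_delay(t1, t2, t3, t4):
    """Standard NTP clock offset and round-trip delay from the four timestamps."""
    offset = ((t2 - t1) + (t3 - t4)) / 2
    delay = (t4 - t1) - (t3 - t2)
    return offset, delay


# Constructed exchange: the client sent at T1, the server stamped T2/T3, the client received at T4.
T1 = 1502702270.0
T2 = 1502702270.25
T3 = 1502702270.375
T4 = 1502702270.5    # taken from the client's own clock, never from the packet

SAMPLE_RESPONSE = HEADER.pack(
    (0 << 6) | (4 << 3) | 4,     # LI=0, VN=4, mode 4 (server)
    2,                           # stratum 2: synced to a stratum-1 server
    6,                           # poll exponent: 2**6 = 64 s
    -23,                         # precision exponent: roughly 0.1 microsecond
    0x0800,                      # root delay 0.03125 s
    0x0400,                      # root dispersion 0.015625 s
    bytes([10, 0, 0, 1]),        # reference ID: upstream server 10.0.0.1 (constructed)
    unix_to_ntp(1502702200.0),   # reference timestamp
    unix_to_ntp(T1), unix_to_ntp(T2), unix_to_ntp(T3),
)


def analyze(packet=SAMPLE_RESPONSE, client_receive=T4):
    """Decode a server response and derive offset/delay; returns (fields, offset, delay)."""
    f = decode_ntp(packet)
    if f["mode"] != 4:
        raise ValueError("not a server response")
    off, delay = offset_and_delay(f["origin"], f["receive"], f["transmit"], client_receive)
    return f, off, delay


if __name__ == "__main__":
    fields, off, delay = analyze()
    for k, v in fields.items():
        print(f"{k:18} {v}")
    when = datetime.fromtimestamp(fields["transmit"], tz=timezone.utc)
    print(f"server transmit (UTC): {when.isoformat()}")
    print(f"offset {off:+.6f} s, round-trip delay {delay:.6f} s")
```

When you look at a real capture, compare the decoded fields against what your server is configured for: a leap indicator of 3 or a stratum of 0 means the server is not actually synchronized, which is the first thing to rule out when two hosts disagree about time.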

Cliff eventually learns that the Sventek user is not on campus and is unlikely to be using his own account. Considering the anomalies around the Hunter and Sventek accounts and the report from DOCKMASTER, Cliff begins to suspect someone has broken into his network. He takes matters into his own hands and builds a monitoring system: he writes a program to log keystrokes on his systems, wires it in between the systems and the external modems, and connects physical printers so that commands are printed out as remote callers type them. He sleeps in his office all weekend to monitor these connections and awakens one night to find something very interesting…

It’s time for the next evolution of our mission, and that is a student charitable profit sharing program. Now, AND students will have a say in where a portion of their course proceeds go. Periodically, AND students will have the opportunity to submit a charity to receive a donation. After nominations have been received, the collective group will vote and we will select 2-5 winners to receive a donation.

If you are a current or former student of mine, I want you to know that my life is enriched by having been able to interact with you. Now, I'm thrilled to be able to help you contribute to causes that matter to you as well. It's very important that people who purchase training from AND know that they aren't just educating themselves by doing so, they are enriching the lives of others too. This is another way for us to do that, together.

Today I want to talk to you about forcing decisions and how you can use the concept to gain a strategic advantage in your infosec work.

Over the past few years, the Golden State Warriors have revolutionized the game of basketball while winning two NBA championships and putting up record-setting numbers in a variety of statistical categories. They aren’t just winning, they’re dominating and changing how people approach the game at a fundamental level. There are a lot of reasons for this, but none more apparent than their fast-paced offense that is built around passing.

I recently read an article from ESPN describing how Warriors coach Steve Kerr formulated his offense. The article’s worth reading if you care about basketball, but even if you don’t I think there’s one quote in there that’s relevant beyond basketball. The Warriors star player, Steph Curry, had this to say:

“The main goal is to just make the defense make as many decisions as you can so that they’re going to mess up at some point with all that ball movement and body movement and whatnot.”

The concept is simple but powerful. When a player makes a pass to another player, it forces the five defenders to make a decision and react. There are a lot of variables that have to be considered very quickly.

Now, let’s say that as soon as the second player receives a pass, they make another pass. What happened?

It forces the defense to consider a new set of variables, probably before they’ve had a chance to fully react to the variables encountered from the first pass. This mental reset causes confusion and slows the ability to react with the correct adjustment. Every quick pass compounds the opportunity for confusion. The Warriors rely on this to succeed, and it’s one of the reasons they track their passes per game statistic aggressively.

Watch the guys in blue. Notice how lost they look after the first few passes? They’re lost! A couple of them have basically given up on the play by the time the shot goes up.

Of course, this concept goes well beyond basketball. It relates to all decision-making.

Forcing Attacker Decisions

Any time you make a decision you are processing all available information. Good decision making is based on understanding every variable and having time to thoughtfully process the data. I believe network defenders are in a unique position to force attackers into poor decisions.

Home court advantage matters.

The attacker doesn’t know your network. To learn it, they have to go through a period of iterative discovery. An attacker gains access to something, pokes around, gains access to something else, pokes around more, rinse and repeat. The attacker doesn’t know your network, but they will learn it as they move closer to their objective. Each step of discovery provides an opportunity to force decisions through the strategic introduction of information. When this happens, an attacker might do something aggressive enough that it trips a signature, pivot around rapidly and leave a few extra breadcrumbs in your logs, or withdraw completely.

Let’s talk about a few ways you can accomplish this.

Honeypots. I'm not talking about the traditional external malware-catching honeypots that we've all set up and forgotten about. Production honeypots sit inside the network and are designed to mimic systems, processes, and data. Nobody should ever access these things, so any access at all is an alert-worthy event. Beyond detection, internal honeypots can also confuse attackers and waste their time. Security is an economic problem, and when defenders can raise the cost of an attack, that alone can ward off opportunistic or less-resourced attackers.

Deception Traps. The use of deception tech (beyond honeypots) is on the rise, and I think we're well behind on leveraging these concepts. I'm not talking about hacking back or security through obscurity; I'm talking about passive engagement of attackers on your home court through automated traps. These are traps that, when interacted with, feed the attacker information that confuses their understanding of the network itself. For example, IP space that responds to scans but houses no systems. Perhaps some of those systems respond differently to scans depending on the source or time of day. Another example might be web application directories that, when accessed, redirect the user to random pages or create endless redirect loops. One more might be running processes on a system that appear to be named after several antivirus binaries; it would certainly be confusing to see multiple AV tools on a single system. And one last one: what if an attacker discovered user accounts and logs indicating they aren't the only attacker on the system? That might cause them to make a hasty retreat or try an aggressive pivot. These ideas aren't exclusively about detection (although they could be used that way). They're about providing confusing information at inopportune times.

Scheduled Shutdowns and Restricted Logon Hours. It's insanely easy to configure systems to shut down during off-hours and to restrict certain user accounts to specific logon hours, yet I never see anyone doing it. Sure, you have to account for users who work late and keep systems up long enough to receive important updates. But enforcing these schedules will throw off an attacker who is poking around on your network. They will likely figure it out eventually, but that still leaves a time window in which decisions get hasty once they know a deadline is approaching. There's no better way to force decisions than to put a time limit on them. As an added bonus, limiting logon times can help workers maintain a healthier work/life balance, and shutting systems down lowers your electric bill and is good for the environment.
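On Windows the logon restriction is set with `net user <account> /times:...` or by writing the logonHours attribute of the AD user (for example via `Set-ADUser -Replace @{logonHours=$bytes}`). The following is an added example, not from the post, that builds that attribute from a schedule and evaluates sample logon timestamps against it, including the time-zone trap that bites people here: the bitmap is defined in UTC, not in the user's local time. It assumes the attribute's encoding of 21 bytes with one bit per hour of the week, hour 0 being Sunday 00:00-01:00 UTC and the least-significant bit of each byte the earliest hour; the schedule and the logon events are constructed.

```python
from datetime import datetime, timezone

HOURS_PER_WEEK = 168
DAYS = ("Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat")   # AD counts the week from Sunday


def hour_index(day, hour):
    """Bit position of a (day name, UTC hour) pair in the 168-bit logonHours bitmap."""
    return DAYS.index(day) * 24 + hour


def build_logon_hours(schedule):
    """
    schedule: {"Mon": [(start, end), ...], ...} with UTC hours, end exclusive.
    Returns the 21-byte value to write to logonHours.
    Assumed encoding: LSB of byte 0 is Sunday 00:00-01:00 UTC, bits run LSB-first per byte.
    """
    mask = bytearray(HOURS_PER_WEEK // 8)
    for day, windows in schedule.items():
        for start, end in windows:
            if not (0 <= start < end <= 24):
                raise ValueError(f"bad window {start}-{end} on {day}")
            for h in range(start, end):
                idx = hour_index(day, h)
                mask[idx // 8] |= 1 << (idx % 8)
    return bytes(mask)


def logon_allowed(mask, when):
    """True if an aware datetime falls in an allowed hour. Naive datetimes are refused on purpose."""
    if when.tzinfo is None:
        raise ValueError("logon time must be timezone-aware; the bitmap is in UTC")
    utc = when.astimezone(timezone.utc)
    day = DAYS[(utc.weekday() + 1) % 7]      # Python: Monday=0, AD: Sunday=0
    idx = hour_index(day, utc.hour)
    return bool((mask[idx // 8] >> (idx % 8)) & 1)


def allowed_hours(mask):
    """Decode a mask back to readable slots, useful for auditing what is actually set in AD."""
    return [f"{DAYS[i // 24]} {i % 24:02d}:00Z"
            for i in range(HOURS_PER_WEEK) if (mask[i // 8] >> (i % 8)) & 1]


# Constructed schedule: 08:00-18:00 US Eastern daylight time (UTC-4), i.e. 12:00-22:00 UTC,
# Monday to Friday, for an account that should never be used at night or at weekends.
BUSINESS_HOURS = {d: [(12, 22)] for d in ("Mon", "Tue", "Wed", "Thu", "Fri")}

# Constructed logon events as a SIEM might store them: ISO 8601 with explicit offsets.
SAMPLE_LOGONS = [
    "2017-08-16T11:00:00-04:00",   # Wednesday 15:00Z, inside the window
    "2017-08-19T03:12:00+00:00",   # Saturday 03:12Z, weekend
    "2017-08-17T23:30:00-04:00",   # Thursday evening locally, but Friday 03:30Z
    "2017-08-18T07:59:00-04:00",   # Friday 11:59Z, one minute before the window opens
]


def check_logons(schedule=BUSINESS_HOURS, logons=SAMPLE_LOGONS):
    """Return {iso timestamp: allowed?} for each logon; a False here is an alert, not just a denial."""
    mask = build_logon_hours(schedule)
    return {ts: logon_allowed(mask, datetime.fromisoformat(ts)) for ts in logons}


if __name__ == "__main__":
    mask = build_logon_hours(BUSINESS_HOURS)
    print("logonHours =", mask.hex())
    print("first slot :", allowed_hours(mask)[0], "last slot:", allowed_hours(mask)[-1])
    for ts, ok in check_logons().items():
        print(f"{ts}  {'allowed' if ok else 'DENIED -> alert'}")
```

The same check works as a detection rule: run it over logon events after the fact and any successful logon that falls in a zero bit is either a misconfigured restriction or an attacker who found a way around it, and either one deserves a look.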

Conclusion

These strategies won't completely stop an attacker, but they have the potential to slow them down enough that you can detect them before they reach their goal and you're dealing with a larger breach. They also increase the attacker's cost and effort to reach that goal, which might be enough to ward off opportunistic attackers or attacks driven by automated processes.

While these techniques aren’t appropriate for every security program maturity level, they provide an opportunity for innovation in the open source and commercial product space.

The Warriors succeed because they tried something different using the skillful talent they had. You can do the same, but like Steve Kerr and Steph Curry, you may need to think differently and apply a unique strategy. The fundamentals matter, but so does being different.

My challenge to you: Think of a way you can force an attacker into making a bad decision. Have some cool ideas? Post them in the comments below.

This week I’m joined by Rick Holland, VP of Strategy for Digital Shadows. Rick is a Texan, so we kick things off right by talking BBQ. After that, we dive into his origin story where he describes his time in the Army and what he learned there. I also ask him about his time as a Forrester analyst and whether analyst firms are pay to play, and whether they have a negative impact on the security industry. Finally, we discuss the evolution of threat intelligence in the security field.

If you like what you hear, I’d sincerely appreciate you subscribing, “liking”, or giving a positive review of the podcast on whatever platform you use. If you like what you hear, make sure to let Rick know by tweeting at him @rickhholland. As always, I love hearing your feedback as well and you can reach me @chrissanders88.

We kick off season two by welcoming Richard Bejtlich onto the podcast. Richard spent the bulk of his career helping further the evolution of network security monitoring through stints at AFCERT, GE, and Mandiant. We talked about his career evolution, the future of computer network defense, the revolution of private intelligence, and how he almost became an astronaut.

Richard chose to support 4 Paws Animal Rescue with his appearance, which is where he got both his family cats.

If you like what you hear, I’d sincerely appreciate you subscribing, “liking”, or giving a positive review of the podcast on whatever platform you use. If you like what you hear, make sure to let Richard know by tweeting at him @taosecurity. As always, I love hearing your feedback as well and you can reach me @chrissanders88.


Applied Network Security Monitoring

Applied Network Security Monitoring is the essential guide to becoming an NSM analyst from the ground up. This book takes a fundamental approach, complete with real-world examples that teach you the key concepts of NSM.

Practical Packet Analysis

It's easy to capture packets with Wireshark, the world's most popular network sniffer, whether off the wire or from the air. But how do you use those packets to understand what's happening on your network? This extensively revised second edition of the best-selling Practical Packet Analysis will teach you how to make sense of your PCAP data.

100% of the author royalties for sales of Practical Packet Analysis go to support the Rural Technology Fund

Rural Technology Fund

Established in 2008, the Rural Technology Fund (RTF) seeks to reduce the digital divide between rural communities and their more urban and suburban counterparts. This is done through targeted scholarship programs, community involvement, and the general promotion and advocacy of technology in rural areas.